Coverage of the existing legislation addressing cybercrime, as well as cooperation between the private sector and government in this realm, is reflected in this entry.

So, how do we begin making policies and laws with all this uncertainty? It’s really a problem that I’m glad I don’t have to fix. However, I’m going to complain, quite gleefully, about how poorly those in power have faced it. Cyber technology and the Internet have forced Congress to update almost every aspect of law: taxation, protecting children, piracy, theft and copying. It’s really interesting to note that computer piracy is not really theft: you’re not depriving the original owner of a physical entity that they once possessed; you’re copying it. So all that law has had to change to address the criminal problems that arose there.
And then there are laws about privacy, or perhaps the total lack thereof nowadays. But what about the war-declaring policies? Establishing a policy here has faced significant challenges.

And so, in terms you guys should be familiar with, it’s the Convention on Cybercrime (see left-hand image). It happened in 2001, and I think it’s happened a number of times since then. It’s effectively the first international treaty seeking to address computer crime and Internet crimes. It did this by making strides to harmonize laws, which basically means making laws compatible with each other across nations, and also by making efforts to improve investigative techniques.
At that time the latter part, improving investigative techniques, was a complete failure. Attribution on the Internet is really hard, because there’s no identification requirement to use the Internet, and you’ll hear all sorts of advocates for all sorts of different solutions here: requiring people to have a universal ID to use the Internet, so there’s no more anonymity, anonymity is dead, and then using a TPM to establish that. I don’t know about that.
Also, the foremost thing this convention tried to do was increase cooperation among nations and stop the fighting. So, as of 2010, 30 states had signed and ratified this treaty and enacted it in their law. The US is one of them; I believe China and Japan are ones too, so that’s really interesting to think about. Also at the time 16 states had signed but had not ratified it into their law.

So since we’re agreeing to basically play ball, let’s talk about the breakdown of responsibility the US government has for securing the Internet (see right-hand image). The DoD is responsible for .mil, and DHS is responsible for .gov. But who’s responsible for .com and policing that? How do you even go about suggesting who should do this? If a government agency or department does this, is the private sector expected to cooperate with them? If so, you’re going to have trust problems, even if it’s DHS, and especially, understandably, if it’s NSA.
What if compromised private sector systems are used to attack the .gov and the .mil systems? Distrust has been overcome in the past; the distrust issue has been conquered before. When Google was being attacked by Chinese actors, or actors allegedly originating in China, they allegedly went to the NSA for help; I only found rumors of this.

Now think about why it would only be kept as rumors, and why you don’t go out and say it. Your customers use you because they value the sense of privacy they get with your services. When you go and cooperate and collaborate with a government agency, it can ruin that value they have in your service. So you have problems here. Perhaps the only way to do it is to do it in secret, to collaborate in secret.
Let’s talk about the extent to which they can collaborate, though. Cooperation is hindered by corporations’ unwillingness to share with their competitors or the government. You can’t just bring Google, Microsoft, Apple and all these people into the same room with someone from NSA or DHS at the table and expect them to fully cooperate without disclosing details of their own security setup, and those details can be used by their competitors against them.
Likewise, the government is unable to disclose classified or sensitive data. Maybe they actually have the inside knowledge; they have a mole on the enemy team, and this team is hitting all these private sector companies, and they actually have all the info on their motives, their goals and state objectives, but they can’t share that because it’s classified. So they can’t share classified and sensitive data, which limits how much they can disclose. And even if you get this level of cooperation, these companies are going to have a very real fear of public backlash.